MEMORANDUM

TO       : G. Mario Moreno
           Assistant Secretary
           Office of Intergovernmental and Interagency Affairs

FROM     : John P. Higgins, Jr.
           Acting Assistant Inspector General
           Analysis and Inspection Services

SUBJECT  : Results of the OIG Review of OIIA’s Internal Controls Over the
           Procurement of Goods and Services (A&I 2000-008)


INTRODUCTION

This memorandum transmits the results of our review of OIIA’s internal controls over the procurement of goods and services. This review is part of OIG's Department-wide review of this area. The Department’s management is responsible for establishing and maintaining internal controls. We will transmit the Department-wide results to the Deputy Secretary with copies to the Assistant Secretaries and other senior staff when we complete our review. On August 10, 2000, OIG staff met with you, your Chief of Staff, Connie Jameson, and your Executive Officer, Norman Hall, to discuss the results of this review.

RESULTS

During our review in OIIA, we identified instances of possible noncompliance with the Federal Acquisition Regulation (FAR) and current Department policies and procedures:

• The FAR requires the solicitation of quotes or offers from a reasonable number of sources or sole-source justifications for any purchase of more than $2,500. In our sample of TPDS checks there were fourteen transactions that were over $2,500. Six of the transactions had no documentation to verify that these purchases were made with the solicitation of at least three bids or to justify a sole-source purchase.

• We also identified eleven invoices that appear to not have been paid timely as required by the Prompt Payment Act.

We identified certain deficiencies, in addition to the instances of possible non-compliance identified above, that prevent OIIA from satisfying GAO’s Standards for Internal Control in the Federal Government. For your information and corrective action, those deficiencies are listed in the attached chart (Attachment A). In the future, we anticipate conducting a follow-up review to assess the actions you have taken to satisfy GAO’s Standards for Internal Control in the Federal Government.

In addition, we want to advise you and OIIA managers of inherent vulnerabilities we identified in two Department procurement systems.

✓ Purchase Cards – For efficiency reasons, the Department designed a purchase card system where cardholders can order, receive and approve payments for goods and services. Consequently, as a control, the Department established approving officials to review the use of purchase cards. Therefore, it is important that approving officials properly review all cardholder statements, including invoices, before forwarding them to OCFO for payment.

✓ Third Party Draft System (TPDS) – An individual with signature authority can issue TPDS checks without the involvement of anyone else. Therefore, it is important that, at a minimum, the supervisor of the individual with signature authority conduct periodic reviews of TPDS disbursements.

During our review, we noted that two OIIA employees assigned purchase cards are below the minimum grade level (GS-9) required to receive annual ethics training. Because of their procurement responsibilities, we believe that ethics training would be beneficial to these employees. Management should require them to attend annual ethics training.

OTHER MATTERS

OIIA has Contribution Accounts containing donations in support of activities such as the Presidential Scholars program and satellite town meetings. According to OIIA staff, the Office of the General Counsel (OGC) is aware of the Contribution Accounts; however, these accounts should be audited on a regular basis.

OBJECTIVE

Our review objective was to assess the internal controls over compliance with laws and regulations for the procurement of goods and services other than studies or evaluations.

SCOPE

We limited our work to procurements in Washington, D.C. (Headquarters). Although we interviewed staff regarding contracts for the purchase of goods and services, we did not review contract files. We limited testing of accounting records to procurements using the Third Party Draft System (TPDS) and purchase cards. We did not conduct testing on OIIA’s use of “Corporate” Government Travel Accounts.

METHODOLOGY

To achieve our objective, we conducted interviews with OIIA staff who were involved with the procurement process and we reviewed relevant documents. As part of our work, we reviewed samples of TPDS checks and purchase card transactions. For the TPDS, we selected a random sample of 50 TPDS checks issued between October 1998 through September 1999 (FY 1999) and October 1999 through February 2000 (FY 2000). There are seven cardholders in Headquarters. We judgmentally selected a sample of transactions from purchase card statements dated between January 1999 through May 2000. Then we selected 71 transactions to review. We also reviewed OIIA monthly purchase card statements that were in the Financial Management Policy and Administration Group files for the months of September 1999 and March 2000.

We based our conclusions about OIIA’s internal controls on the information gathered during our interviews and transaction testing. We conducted our interviews and transaction testing between May 23, 2000 and July 18, 2000. We assessed OIIA's internal controls based on GAO's Standards for Internal Control in the Federal Government, issued in November 1999. Attachment B to this memorandum contains a summary of the GAO Standards. We conducted our work in accordance with the President's Council on Integrity and Efficiency (PCIE) Quality Standards for Inspection dated March 1993.

We appreciate the cooperation shown by your staff during our review. If you have any questions regarding the results of this review, please call me at 205-5439.


Attachments


cc: Deputy Secretary


Attachment B

GAO’s Standards for Internal Control in the Federal Government
Components of Internal Control

• Control Environment – Management and employees should establish and maintain an environment throughout the organization that sets a positive and supportive attitude toward internal controls and conscientious management.

    Factors:

    ✓ Management and staff maintain and demonstrate integrity and ethical values.

    ✓ Management maintains an active commitment to competence.

    ✓ Management’s philosophy and operating style exerts a positive influence on the organization (especially toward information systems, accounting, personnel functions, monitoring and audits).

    ✓ Organizational structure is appropriately centralized or decentralized, and facilitates the flow of information across all activities.

    ✓ Agency delegates authority and responsibility and establishes related policies throughout the organization in a manner that provides for accountability and control.

    ✓ Agency establishes human resource policies and practices that enable it to recruit and retain competent people to achieve its goals.

• Risk Assessment – Internal controls should provide for an assessment of the risks the agency faces from both external and internal sources.

    Precondition: establishment of clear and consistent agency objectives.

    Risk assessment: the comprehensive identification and analysis of relevant risks associated with achieving agency objectives, like those defined in strategic and GPRA annual performance plans, and forming a basis for determining how the agency should manage risks.

    Risk identification: methods may include qualitative and quantitative ranking activities, management conferences, forecasting and strategic planning, and consideration of findings from audits and other assessments.

    Risk analysis: generally includes estimating the risk’s significance, assessing the likelihood of its occurrence, and deciding how the agency should manage its risk.

• Control Activities – Internal control activities help ensure that employees carry out management directives. The control activities should effectively and efficiently accomplish agency control objectives.

    ✓ The control activities are the policies, procedures, techniques, and mechanisms that enforce management’s directives. They help ensure that employees take actions to address risks.

    ✓ Control activities occur at all levels and functions of the entity, and include a wide range of diverse activities such as approvals, authorizations, verifications, reconciliations, performance reviews, maintenance of security, and creation and maintenance of related records that document the execution of these activities.

• Information and Communications – Employees should record and communicate information to management and others within the entity who need it in a form and within a time frame that enables them to carry out their internal control (and other) responsibilities effectively and efficiently.

    ✓ An organization must have relevant, reliable, and timely communications relating to internal as well as external events. Information is needed throughout the agency to achieve all its operational and financial objectives.

    ✓ Effective communications should occur in a broad sense with information flowing down, across, and up the organization.

    ✓ Management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on the agency achieving its goals.

• Monitoring – Internal control monitoring should assess the quality of performance over time and ensure that audit and other review findings are promptly resolved.

    ✓ Includes regular management and supervisory activities, comparisons, reconciliations, and other actions employees take in performing their duties.

    ✓ Should include policies and procedures for ensuring that audit and other review findings are promptly resolved.


Attachment A

Internal Control Evaluation Form for the Office of Intergovernmental and Interagency Affairs

Control Component: Control Environment
Deficiencies:

• Assignment of Authority – According to OCFO records, three cardholders with spending limits in excess of $2,500 do not have warrants nor have they taken the small purchase training required to obtain a warrant.
• Training – One cardholder has not taken purchase card training; however, the cardholder has taken small purchase training. All procurement staff could benefit from refresher training.
• Human Resources – One cardholder was not allowed to include purchase card responsibilities as a GPAS rating element because management had characterized the responsibility as “just ordering supplies.”

Control Component: Risk Assessment
Deficiencies:

• Identification of Risks – The Executive Officer and other procurement staff should have a more significant role in OIIA’s Federal Managers’ Financial Integrity Act (FMFIA) reporting process.

Control Component: Control Activities
Deficiencies:

• Policies and Procedures – Although required by the Department’s Directive on Commercial Credit Card Service (C:FIM:6-102) dated March 12, 1990, OIIA has no written policies and procedures on the purchase card process.
• Policies and Procedures – OIIA appears to make several sole-source procurements. For instance, we noticed that all but one of the TPDS purchases that we reviewed that were over $2,500 and had supporting documentation were sole-source.
• Policies and Procedures – According to the Department’s simplified acquisition procedures, micro-purchases (under $2,500) are to be distributed “equitably among qualified suppliers.” As a result of reviewing the card statements for Headquarters for the period of January 1999 to May 2000, we noticed that OIIA used the GSA Supply Service Center 7 times and used Office Depot 127 times.
• Policies and Procedures – Cardholders should be recording purchases into EDCAPS at the time an order is placed; instead, the two approving officials have been recording purchases into EDCAPS during their review of the card statements.
• Purchase Cards – We reviewed the September 1999 and the March 2000 statements from OCFO files. Our purpose was to verify that OIIA had submitted all of its monthly card statements with activity to OCFO and that the approving official had signed the card statements. We also reviewed 71 judgmentally selected purchase card transactions.
    ♦ Approval of monthly purchase card statements – The Executive Officer, one of two approving officials, informed us that he does not sign the statements because there is only one line for a signature on the statements. He assumed that the line was for the cardholder.
        • For September 1999, 14 cards had balances. One statement was missing from OCFO files. None of the statements were signed by an approving official.
        • For March 2000, 16 cards had balances. All the statements were in OCFO files. None of the statements were signed by an approving official. In addition, seven were not signed by the cardholder.
    ♦ Approval – We were told that the Director/Team Leader, Executive Officer and Assistant Secretary/Chief of Staff approved purchases. This OIIA pre-approval policy was not consistently followed based on the results of our review.
        • Director/Team Leader approved 55 out of 71 samples reviewed.
        • Executive Officer approved 69 out of 71 samples reviewed.
        • Assistant Secretary/Chief of Staff approved 42 out of 71 samples reviewed.
    ♦ Documentation – Supporting documents such as invoices and receipts were missing for 20 transactions, one of which was also missing the office request form.
• TPDS Checks – We reviewed 50 randomly selected TPDS checks.
    ♦ Documentation – The file for one of the TPDS checks was not available for review. Principal Office copies of checks were missing for six TPDS checks, which were employee reimbursements.
    ♦ Compliance/Bids – As mentioned in the cover memorandum, we identified 14 transactions that were over $2,500. There was no documentation to verify that six of these purchases were made with the solicitation of at least three oral bids or to justify a sole-source purchase.
    ♦ Approval – Eight purchases had no documentation of preapproval by the Executive Officer.
    ♦ Date Stamping – 37 invoices were not date stamped on receipt.
    ♦ Compliance/Prompt Payment – As mentioned in the cover memorandum, we identified 11 invoices that appear to not have been paid timely.
    ♦ Compliance/Reimbursable Costs – Commuting costs were not deducted from two employee reimbursements for local travel nor was there an explanation of why such costs were not deducted.
• Safeguarding of Assets – While OIIA maintains a log for metro cards supplied to staff members, the cards are not numbered and the dollar balances are not recorded when cards are issued.

Control Component: Information & Communications
Deficiencies:

• Communication of Key Information – The Executive Officer stated that he was familiar with the Department’s Directive on Commercial Credit Card Service (C:FIM:6-102) dated March 12, 1990; however, the rest of the procurement staff that we interviewed were not familiar with the Directive.

Control Component: Monitoring
Deficiencies:

• On-going Monitoring – The supervisor of the individual with signature authority for TPDS checks does not perform periodic reviews of the EDCAPS reports on the checks issued by OIIA.